Juan Tapiador is the leader of the UC3M team at the Department of Computer Science, Universidad Carlos III de Madrid. His team is developing tools to assist with promoting security and privacy analysis of software. Read our interview with him to learn more about what he and his team are working on, their work’s technical elements, and what role TRUST aWARE’s framework plays. Juan also identifies what he sees as the evolving future of cybersecurity; check it out.

• What is your role in the project? 

I am the leader of the UC3M team within the project. Our main role in the project is in WP2, where we are developing static analysis tools to assist in the security and privacy analysis of software. These tools produce signals that are integrated with others produced by different tools to inform analysts and end-users. We are also conducting studies aimed at understanding the current security and privacy landscape of certain classes of important software, such as mobile apps and browsers.

• What do you think are the biggest challenges facing cybersecurity research today?

One of the aspects that make cybersecurity research really challenging (and exciting) is that fundamental challenges have not changed much in the last decades. I start one of my security courses discussing with my students a 1979 paper that enumerates the top software security issues back at the time. Most of such issues are still haunting us in 2023. The reasons why the overall security of systems and products is typically very deficient are multiple and have to do with technical and non-technical issues.

• How do you see the field of cybersecurity evolving over the next few years? What emerging technologies or trends are you most excited about?

There is a new wave of upcoming cybersecurity regulations in Europe and in the US with the potential to have a significant impact on the industry and research landscape. The EU Cyber Resiliency Act will force vendors to raise the bar in terms of the security of their products. This will surely trigger some interesting research efforts in areas such as supply-chain security, a fundamental topic that has been gaining more and more importance lately.

• What tools are you developing in the framework of TRUST aWARE? What are their expected impacts?

During the first part of the project we have focused our efforts on tools for the Android ecosystem. Our choice of this platform is motivated by its market penetration, with more than 3B active users in the world that access Internet content and service primarily from their smartphones. The tools that we are developing can analyse an app and extract from its code meaningful signals about its behaviour, with emphasis on potentially insecure or privacy-harmful activities. The key innovation aspects of our approach and the main differences with respect to similar existing tools are twofold. On the one hand, we pay particular attention to fast tools aimed at conducting large-scale analysis. One project goal is to produce a large dataset of behavioural analysis outputs across hundreds of thousands of apps. To make this possible, we need fast tools. On the other hand, we are focusing on analysis tasks for which current tools are very limited or inexistent, such as analysing browser APIs and software that uses them.

• What is the core difference between static and dynamic analysis? Can you provide an example of how it can support privacy & security analysis?

Static analysis provides insights about a piece of code without running it. Dynamic analysis runs the program in an instrumented environment and reports behaviours that have been observed. Both approaches are complementary and can inform each other. One example is in privacy analysis of mobile apps, where static analysis of an app’s manifest reveals the permissions requested by the app, its main software components, and perhaps other interesting pieces of evidence, such as URLs that are embedded in the code. Dynamic analysis will report whether those permissions are actually used and in which context, and if a particular URL is contacted and what information is exchanged with the endpoint.